Richard Bejtlich's blog on digital security, strategic thought, and military history.

Saturday, March 08, 2008

Network Security Monitoring for Fraud, Waste, and Abuse

Recently a blog reader asked the following:

You frequently mention "fraud, waste, and abuse" in your writing (for example), most often to say that NSM is not intended to address FWA. One thing I've been wondering though--why is fraud in there? I can see waste (employee burning time/resources on ESPN.com or Google Video) or abuse (pornography, etc), but Fraud seems to be in a different class. If someone is using the network to commit a crime, why shouldn't that be in scope? Indeed, preventing loss (monetary, reputational, of intellectual property) is really the bottom line for a strong security program, correct?

My stance on this question dates back to my days in the AFCERT. Let me explain by starting with some definitions from AFI 90-301:

Fraud: Any intentional deception designed to unlawfully deprive the Air Force of something of value or to secure from the Air Force for an individual a benefit, privilege, allowance, or consideration to which he or she is not entitled. Such practices include, but are not limited to:

The offer, payment, acceptance of bribes or gratuities, or evading or corrupting inspectors or other officials.

Making false statements, submitting false claims or using false weights or measures.

Deceit, either by suppressing the truth or misrepresenting material facts, or to deprive the Air Force of something of value.

Adulterating or substituting materials, falsifying records and books of accounts.

Conspiring to carry out any of the above actions.

The term also includes conflict of interest cases, criminal irregularities, and the unauthorized disclosure of official information relating to procurement and disposal matters.

For purposes of this instruction, the definition can include any theft or diversion of resources for personal or commercial gain.

Waste: The extravagant, careless, or needless expenditure of Air Force funds or the consumption of Air Force property that results from deficient practices, systems controls, or decisions. The term also includes improper practices not involving prosecutable fraud.

Abuse: Intentional wrongful or improper use of Air Force resources. Examples include misuse of rank, position, or authority that causes the loss or misuse of resources such as tools, vehicles, computers, or copy machines.

Given these definitions, the first reason I do not think counter-FWA is an appropriate NSM mission is the difficulty of identifying these actions. Security analysts perform NSM. Security analysts are not human resources, legal, privacy, financial audit, or police personnel. Trying to identify FWA (aside from the obvious, like wasting bandwidth or visiting pornography sites) is outside the scope of the security analyst's profession. If any of the aforementioned parties want to use some content inspection method to identify FWA, that's their job. Security analysts are generally tasked with identifying violations of confidentiality, integrity, and availability.

Second, in many organizations the inclusion of FWA would crowd out other security tasks. I have heard of some monitoring shops who do nothing but FWA because the volume of inappropriate activity seems to dwarf traditional security concerns. I think that is a poor allocation of resources.

Third, I think NSM for FWA is shaky on privacy grounds. Employees really have no expectation of privacy in the workplace, but the degree of monitoring required to identify non-obvious FWA is very invasive. Security analysts avoid reading email and reconstructing Web pages, but FWA investigations essentially rely on that very task. FWA is seldom easily detected using alert-based mechanisms, so identifying real FWA can turn into a fishing expedition where all content is analyzed in the "hope" of finding something bad. I think this is a waste of resources as well.

Having said that, in some cases NSM data can be used to support FWA tasks. However, I do not think FWA investigation should be a routine part of NSM operations.

5 comments:

G said...

Good post, thanks. I think your last sentence is probably critical... Most of us would probably agree that NSM's primary function shouldn't be to combat FWA. However, since many information security departments are tasked with carrying out investigations at the request of HR, legal, etc., it is simply practical to use the tools at our disposal to conduct these investigations as efficiently as possible. If an NSM sensor can help do that, it should be used.

I think that most in the industry, not just IA but incident response, would say that support of FWA issues has become more and more part of the day-to-day activities we must execute; at least that has been my experience. With the integration of activity monitoring applications (web proxies monitoring the list of sins, etc.) with application firewalls, etc. it seems inevitable that this will continue as it allows non-IA people to look at the alerts/capabilities and think, "hey, this way the incident response team can help us keep tabs on this." Back to the churn of identifying what incident response "is" vs what it "isn't" vs what it "should be".....

Nice try. I worry about insider threats that try to compromise CIA, not surf pr0n. I also do not minimize the "impact of the insider threat." I've often said the impact of the insider threat is greater than other threats, but the rate of occurrence is much lower than what the media and "conventional wisdom" would have us believe.

If you think NSM is a "poor match... to fight FWA" you have probably never watched network traffic.